CVE-2021-44228 log4shell vulnerability

Summary

A vulnerability affecting the Java logging library Apache Log4j 2 has been publicly disclosed for versions prior to 2.15.0. On-premises Jira and Confluence instances, and by extension our apps, do not use the affected library. However, your instance may still be exposed depending on local configuration.

Default on-premises Jira/Confluence configurations are not vulnerable

Jira and Confluence use log4j 1.2.x, which is not vulnerable unless customizations have been made to the local log4j configuration; such customizations can introduce the vulnerability. See the Atlassian FAQ for more:

All our apps use the platform-provided log4j implementation, which is 1.2.x.
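As an added check that is not part of the original advisory or of JEMH: a Python script that inventories log4j jars under an install tree and classifies each by version against the statements above (log4j 1.2.x not affected by CVE-2021-44228; Log4j 2 below 2.15.0 affected). It reads the manifest's Implementation-Version before trusting the filename, runs here against a constructed sample tree, and checks jar versions only, not whether the local log4j configuration has been customized.

```python
import re
import tempfile
import zipfile
from pathlib import Path

FIXED = (2, 15, 0)  # first Log4j 2 release the advisory names as not affected

def parse_version(text):
    # "2.14.1" -> (2, 14, 1); None when no dotted version is present
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    return tuple(int(g or 0) for g in m.groups()) if m else None

def jar_version(jar_path):
    """Prefer Implementation-Version from the manifest; fall back to the filename."""
    try:
        with zipfile.ZipFile(jar_path) as zf:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
        for line in manifest.splitlines():
            if line.startswith("Implementation-Version:"):
                return parse_version(line.split(":", 1)[1])
    except (zipfile.BadZipFile, KeyError, OSError):
        pass  # unreadable jar or no manifest: use the filename instead
    m = re.search(r"log4j(?:-\w+)?-(\d+\.\d+(?:\.\d+)?)", Path(jar_path).name)
    return parse_version(m.group(1)) if m else None

def classify(version):
    """CVE-2021-44228 status for a parsed log4j version tuple."""
    if version is None:
        return "unknown"
    if version[0] == 1:
        return "log4j-1.x: not affected by CVE-2021-44228"
    return "AFFECTED" if version < FIXED else "fixed"

def scan(root):
    # classify every log4j*.jar below root (e.g. a Jira install or home directory)
    root = Path(root)
    return {p.relative_to(root).as_posix(): classify(jar_version(p)) for p in root.rglob("log4j*.jar")}

def build_sample_tree(root):
    # constructed install: platform 1.2.x jar, a 2.14.1 jar a local customization
    # might have added, and a fixed 2.15.0 jar for comparison
    for rel, ver in {"WEB-INF/lib/log4j-1.2.17.jar": "1.2.17",
                     "WEB-INF/lib/log4j-core-2.14.1.jar": "2.14.1",
                     "WEB-INF/lib/log4j-core-2.15.0.jar": "2.15.0"}.items():
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        with zipfile.ZipFile(path, "w") as zf:
            zf.writestr("META-INF/MANIFEST.MF", f"Manifest-Version: 1.0\nImplementation-Version: {ver}\n")

def demo():
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan(root)
```

Point `scan()` at a real Jira or Confluence installation directory to inventory it; `demo()` runs the same logic over the constructed sample tree.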

Validation

We have performed our own validation using a proof-of-concept found online. We verified that the version of log4j shipped with Jira did not reproduce the vulnerability when using the default logger configuration.

JEMH specific testing

As JEMH specifically processes user-generated content, we have also verified that the exploit does not work from email content with the default configuration of log4j.

Related links:


This is duped in KB: CVE-2021-44228 - log4shell, and CVE-2021-45046